FIST Conference, Madrid, September 2005

PKI Interoperability

Raúl Guerra Jiménez
About the Author

Raúl Guerra Jiménez
CISSP, CISA
Technical consultant
Grupo SIA (1989)
www.siainternational.com

2
Index



Cryptography
Public Key Infrastructure (PKI)
Applications
Integration
e-DNI


                                  3
Security Requirements

Confidentiality.
  Ensure the confidentiality of data.
Integrity.
  The original data has not been changed.
Authentication.
  Proof of identity.
Non-Repudiation.
  Prevent denial of a transaction: the originator cannot deny it.

4
Paradigm Solution

Requirement       Mechanism
CONFIDENTIALITY   ENCRYPTION
INTEGRITY         HASH
AUTHENTICATION    DIGITAL SIGNATURE
NON-REPUDIATION   DIGITAL SIGNATURE

All of these mechanisms are built on the same stack:
  PUBLIC KEY ENCRYPTION
    -> DIGITAL CERTIFICATE
      -> CERTIFICATION AUTHORITY
        -> PUBLIC KEY INFRASTRUCTURE (PKI)

5
PKIs are not CAs…

CA:
• Issue certificates
• Revoke certificates

PKI:
• Issue certificates
• Revoke certificates
• Key management
    – Creation
    – Storage
    – Update
    – Backup/recovery
• Cross-certification
• Certificate repository (directory)
• Application software
• RA (Registration Authority)
• Client
• etc.
Third-party trust

            Certification Authority
           Trust /            \ Trust
        Raúl                    Raquel
              "third-party trust"

Raúl and Raquel do not need to trust each other directly: each of them trusts the Certification Authority, and that shared trust is what lets them rely on each other's certificates.

7
Cross-Certification

Certification Authority "A"  <-- cross-certification -->  Certification Authority "B"
       /         \                                               /         \
   Alicia       Juan                                         Elena       Pedro

Third-party trust across the two domains: a user of AC "A" can validate a certificate issued by AC "B" through the cross-certificate, and vice versa.

8
Subordinate CA

                      CA1 ("Root")
                     /            \
                 CA2                CA3
                /   \              /   \
             CA4     CA5        CA6     CA7
             / \     / \        / \     / \
           U1  U2  U3  U4     U5  U6  U7  U8  U9

Classical trust model has no end root
The certificate

    Version: 3
    Serial Number: 8391037
    Signature: RSA
    Issuer: o=SIA, c=ES
    Validity: 1/5/97 1:02 - 7/5/98 1:02
    Subject: cn=Raúl Guerra, o=SIA, c=ES
    Subject Public Key Info:
    ----------------------------------------------------
    Extensions:
      SubjectAltName: rguerra@sia.es
      CRL DP: cn=CRL2, o=SIA, c=ES

The CA signs the certificate (the CA's signature covers all of the fields above).

10
Certificate Revocation List

    DN: cn=CRL2, o=SIA, c=ES                          <- unique name of the CRL
    Start: 1/5/97 1:02                                <- period of validity
    End: 1/6/97 1:02
    Revoked:                                          <- serial number of revoked
      191231   4/24/96 10:20   Cessation of Operation    certificates and reason
      123832   4/25 16:20      Key Compromise
      923756   4/25 16:30      Affiliation Change
    CA DN: o=SIA, c=ES

CA's digital signature on the CRL

11
Keys in the client

Key lifecycle:
  Key generation
    -> Issue certificates
    -> Key usage (with certificate validation on each use)
    -> Expired
    -> Key update (back to key generation)

12
PKI

Application layer:
  PKI-enabled application (web, e-mail): talks to the PKI client through
  APIs such as GSS-API, CAPI, ...
  Applications (ERPs, SSO, ...) and legacy applications: PKI-enabled through
  toolkits
  Application without a PKI-enabled module: needs a PKI-enable module added

PKI client:
  ID in disk (.epf)
  PKCS#11 (memory cards, smartcards, PC/SC)
  BAPI (biometric API) - biometric devices
  LDAP - directory
  PKIX-CMP - PKI

13
Architecture: Example

    Client ----------- PKIX-CMP -----------> CA
                    |                        |
    RA ---------- Firewall ------- LDAP ---> Directory

The client and the RA sit on one side of the firewall, the CA and the directory on the other. Certificate management traffic uses PKIX-CMP; certificate and CRL lookups use LDAP.

14
Application

Internet
e-Commerce
Remote Access
EDI
VPN (Virtual Private Network)
ERPs
Security in Intranet
Secure Single-Sign On
                                15
Internet Application

Secure Web Communications
• Netscape/Microsoft browsers
• Netscape/Microsoft servers
• many more ...

Secure e-mail
• Novell GroupWise
• Lotus Notes
• Netscape Messenger
• Microsoft Outlook
• cc:Mail

16
Secure Remote Access

(Diagram: remote user -> firewalls & routers -> remote access authentication)

Remote Access Authentication
• Security Dynamics
• LeeMah DataComm
• CryptoCard
• Secure Computing (SafeWord)
• Digital Pathways (Defendor)
• Application-specific implementations

Firewalls
• CheckPoint (Firewall-1)
• Raptor Systems (Eagle)
• MilkyWay (Blackhole)
• TIS (Gauntlet)
• ANS (Interlock)
• Secure Computing (Sidewinder)
• Border Network (Borderware)
• IBM (NetSP)
• Harris Systems (CyberGuard)
• Sagus Security (Defensor)

Routers
• Cisco
• Ascend
• Bay Networks
• BBN

17
VPNs

Virtual Private Networks (intranet, extranet, end users)
• Firewall vendors (e.g. FW-1)
• Link encryptors
• Security Dynamics SecurVPN
• Entrust/Access
• KyberPass

18
Security in the Intranet

Network Security
  Encrypt the traffic; secure access to resources
  • McAfee Network Security Suite
  • NetLock
  • Cygnus (KerbNet)

Application Specific Security
  Databases (Oracle…), heritage applications (Mainframe...), GroupWare (Notes…)
  • RACF, ACF2, TopSecret
  • Application-level passwords
  • Proprietary data security (Notes)
  • Other (via RSA toolkits)

19
Desktop security

File Security
• Norton Your Eyes Only
• PGP for Personal Privacy
• Querisoft SecureFILE
• McAfee VirusScan Security Suite
• RSA SecurPC
• AT&T SecretAgent
• Entrust ICE
• Entrust Entelligence

Desktop security covers:
• Email
• Files
• Client/Server apps
• E-forms
• Browsers
And more...
Enterprise Resource Planning (ERPs)

ERP
• SAP/R3
• PeopleSoft
• Oracle
• ...

Client-to-server security for business-to-business, client/server services and web services.

21
PKI: Homogeneous solution

One PKI serving every area:

Specific systems
• Databases (Oracle, ...)
• Mainframe
• GroupWare

Network Security
• Traffic ciphering
• Secure access

Web Server Security
• E-Commerce
• Internet Banking
• Secure web sites

Firewalls & Routers
• Remote authentication
• VPNs

ERP
• SAP/R3
• PeopleSoft
• Oracle
• ...

Internet Users
• Secure Web
• Secure Mail
• E-Commerce (SET)

Desktop Security
• Email
• Files
• Client/Server apps
• E-forms
• Browsers
And more...
PKIs Success (I)

Integration with the software applications.
Practical solutions --> Bye, bye SET.
User recognition.
Trust. Do you trust the CA?
What or who used my private key? Is my PC safe? Security issues in the OS or the browser (crypto software).
Is your private key in a smart card?

23
PKIs Success (II)

Are the certification practices secure (CPS)?
The CA must guarantee that the signed data (the certificate) is correct.
There is a risk if you trust the user. Do you verify the certificate from the web server in an SSL connection?
To learn more: "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure" by Bruce Schneier and Carl Ellison

24
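The question above (do you verify the web server's certificate in an SSL connection?) comes down to two settings on the client side: chain validation and the host-name check. The following Python is an added example, not code from the slides: it puts the weak TLS client configuration next to the verifying one, and pulls the slide-10 fields (issuer, subject, serial, validity, SubjectAltName) out of the certificate a server presents. The `ca_bundle` path, the command-line host name and the `SAMPLE_CERT` values are assumptions constructed for the example.

```python
import socket
import ssl

# Constructed sample shaped like the dict ssl's getpeercert() returns, carrying
# the fields of the slide-10 certificate. It is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "ES"),), (("organizationName", "SIA"),),
                (("commonName", "Raul Guerra"),)),
    "issuer": ((("organizationName", "SIA"),), (("countryName", "ES"),)),
    "serialNumber": "8391037",
    "notBefore": "May  1 01:02:00 1997 GMT",
    "notAfter": "May  7 01:02:00 1998 GMT",
    "subjectAltName": (("email", "rguerra@sia.es"),),
}

def verifying_client_context(ca_bundle=None):
    """Corrected setting: validate the server's chain against trusted CAs and
    require the certificate to match the host name we asked for."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED, check_hostname=True
    if ca_bundle:                                # e.g. a private CA's chain in PEM
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx

def unverified_client_context():
    """Weak setting: the session is encrypted, but the peer is never
    authenticated, so any certificate presented by anyone is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_authenticates_peer(ctx):
    """True only when both checks are on: chain validation without the name
    check still accepts any valid certificate issued for some other site."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def fetch_server_certificate(host, port=443, ctx=None, timeout=5.0):
    """Handshake with the server and return its certificate as a dict. With a
    verifying context, a bad chain or a name mismatch raises
    ssl.SSLCertVerificationError during the handshake."""
    ctx = ctx or verifying_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize_certificate(cert):
    """Extract the slide-10 fields (issuer, subject, serial, validity, SAN)
    from a getpeercert() dict."""
    def dn(rdns):
        return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)
    return {
        "subject": dn(cert.get("subject", ())),
        "issuer": dn(cert.get("issuer", ())),
        "serial": cert.get("serialNumber"),
        "not_before": cert.get("notBefore"),
        "not_after": cert.get("notAfter"),
        "subject_alt_names": [value for _, value in cert.get("subjectAltName", ())],
    }

if __name__ == "__main__":
    import sys
    print("verifying context authenticates peer:",
          context_authenticates_peer(verifying_client_context()))
    print("unverified context authenticates peer:",
          context_authenticates_peer(unverified_client_context()))
    print("sample certificate:", summarize_certificate(SAMPLE_CERT))
    if len(sys.argv) > 1:                        # optional: a real host name to check
        print(summarize_certificate(fetch_server_certificate(sys.argv[1])))
```

Run it with a host name as the only argument to see the fields of a live server certificate; with the verifying context a self-signed or mis-issued certificate never reaches `summarize_certificate`, because the handshake itself fails.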
e-DNI

Smart Card
  Polycarbonate card with high security, from FNMT
Certificates
  Identity (authentication) and signature (non-repudiation) certificates
  No encryption certificate
PKI Providers: Entrust, Safelayer
Hierarchy of CAs (root and subordinate CAs)

25
e-DNI. Questions (I)

Are other certificates necessary?

Certificate status validation methods.

Cross-Certification with commercial
CAs?




                                      26
e-DNI. Questions (II)

Other certificates? YES, because
  There is no encryption certificate. To protect business data that is stored encrypted, a backed-up decryption (private) key is needed ---> an encryption certificate.
  Physical (natural-person) identity only. What about legal entities?
  Use of the certificate together with other information, for example medical data (medical smartcard).
  Use in the private sector: home banking, corporate enterprise smartcard, etc.

27
e-DNI. Questions (III)

Certificate status validation methods
  The relying system should ensure that the certificate being verified is valid (and not on a CRL).
  If an entity wants technical interoperability with the e-DNI system, it needs to know the certificate status.

28
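Slides 10 and 11 show what a certificate and a CRL carry, slides 8 and 9 show the cross-certified and hierarchical trust models, and the question above is whether a relying system actually checks all of it before accepting an e-DNI certificate. The Python below is an added example, not the presentation's code nor that of any e-DNI provider: it builds a constructed hierarchy (CA1 root, CA2, CA4, users, plus a cross-certificate from CA1 to an external "CA B"), signs certificates and CRLs with a toy RSA (tiny primes, insecure, used only so that "the CA signs the certificate" is real rather than stubbed), and validates a certification path by checking validity period, issuer CA status, issuer signature and a fresh, signed CRL at every hop. All CA names, serial numbers, dates and revocation reasons are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Toy RSA standing in for slide 10's "Signature: RSA" (tiny primes: illustration only, insecure).
def toy_rsa_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public key, private key)
def digest(data, n):                               # hash reduced into Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(private_key, data):                       # private_key = (n, d)
    return pow(digest(data, private_key[0]), private_key[1], private_key[0])
def verify(public_key, data, signature):           # public_key = (n, e)
    return pow(signature, public_key[1], public_key[0]) == digest(data, public_key[0])

@dataclass
class Certificate:                                 # the fields of slide 10
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    public_key: tuple
    is_ca: bool = False
    signature: int = 0
    def tbs(self):                                 # the "to be signed" part
        return (f"{self.serial}|{self.issuer}|{self.subject}|{self.not_before}|"
                f"{self.not_after}|{self.public_key}|{self.is_ca}").encode()

@dataclass
class CRL:                                         # the fields of slide 11
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict                                  # serial -> (date, reason)
    signature: int = 0
    def tbs(self):
        return (f"{self.issuer}|{self.this_update}|{self.next_update}|"
                f"{sorted(self.revoked.items())}").encode()

def issue(issuer, issuer_key, serial, subject, public_key, nb, na, is_ca=False):
    cert = Certificate(serial, issuer, subject, nb, na, public_key, is_ca)
    cert.signature = sign(issuer_key, cert.tbs())  # "the CA signs the certificate"
    return cert

def publish_crl(issuer, issuer_key, this_update, next_update, revoked):
    crl = CRL(issuer, this_update, next_update, revoked)
    crl.signature = sign(issuer_key, crl.tbs())    # CA's digital signature on the CRL
    return crl

def validate_path(leaf, certs_by_subject, crls_by_issuer, trust_anchors, now):
    """Walk from the end-entity certificate up to a trusted root; each hop checks validity
    period, issuer is a CA, issuer's signature, and a fresh issuer CRL not listing the serial."""
    cert, hops = leaf, 0
    while hops < 10:                               # bound: cross-certificates can form cycles
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if cert.issuer in trust_anchors:
            issuer_key = trust_anchors[cert.issuer]
        else:
            issuer_cert = certs_by_subject.get(cert.issuer)
            if issuer_cert is None or not issuer_cert.is_ca:
                return False, f"{cert.subject}: issuer {cert.issuer!r} is not a known CA"
            issuer_key = issuer_cert.public_key
        if not verify(issuer_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature by {cert.issuer} does not verify"
        crl = crls_by_issuer.get(cert.issuer)
        if crl is None or not verify(issuer_key, crl.tbs(), crl.signature):
            return False, f"{cert.issuer}: no authentic CRL, status unknown"
        if not crl.this_update <= now <= crl.next_update:
            return False, f"{cert.issuer}: CRL is stale, status unknown"
        if cert.serial in crl.revoked:
            date, reason = crl.revoked[cert.serial]
            return False, f"{cert.subject}: revoked {date:%Y-%m-%d} ({reason})"
        if cert.issuer in trust_anchors:
            return True, f"chain ends at trusted root {cert.issuer} after {hops + 1} hops"
        cert, hops = certs_by_subject[cert.issuer], hops + 1
    return False, "certification path too long"

def run_demo(year=2005, month=9, day=1):
    """Constructed hierarchy as on slide 9 (CA1 root -> CA2 -> CA4 -> users) plus a cross-certificate
    from CA1 to 'CA B' (slide 8); validates U1 (good), U2 (revoked), Pedro (cross-cert), unknown CA."""
    now, nb, na = datetime(year, month, day), datetime(2005, 1, 1), datetime(2006, 1, 1)
    root_pub, root_key = toy_rsa_keypair(61, 53)
    ca2_pub, ca2_key = toy_rsa_keypair(67, 71)
    ca4_pub, ca4_key = toy_rsa_keypair(73, 79)
    cab_pub, cab_key = toy_rsa_keypair(97, 101)
    u1_pub, u2_pub, pedro_pub = (toy_rsa_keypair(p, q)[0] for p, q in [(83, 89), (107, 109), (113, 127)])
    certs = [issue("CA1", root_key, 1001, "CA2", ca2_pub, nb, na, is_ca=True),
             issue("CA2", ca2_key, 2001, "CA4", ca4_pub, nb, na, is_ca=True),
             issue("CA4", ca4_key, 4001, "U1", u1_pub, nb, na),
             issue("CA4", ca4_key, 4002, "U2", u2_pub, nb, na),
             issue("CA1", root_key, 1002, "CA B", cab_pub, nb, na, is_ca=True),   # cross-certificate
             issue("CA B", cab_key, 9001, "Pedro", pedro_pub, nb, na)]
    t0, t1 = datetime(2005, 9, 1), datetime(2005, 10, 1)                         # CRL validity window
    crls = [publish_crl(n, k, t0, t1, {}) for n, k in [("CA1", root_key), ("CA2", ca2_key), ("CA B", cab_key)]]
    crls.append(publish_crl("CA4", ca4_key, t0, t1, {4002: (datetime(2005, 8, 15), "Key Compromise")}))
    by_subject, by_issuer = {c.subject: c for c in certs}, {c.issuer: c for c in crls}
    stranger = Certificate(7, "Unknown CA", "Stranger", now, now, (1, 1))
    return {name: validate_path(c, by_subject, by_issuer, {"CA1": root_pub}, now)
            for name, c in [("U1", certs[2]), ("U2", certs[3]), ("Pedro", certs[5]), ("Stranger", stranger)]}
```

Calling `run_demo()` returns one `(ok, reason)` pair per subject: U1 chains through CA4 and CA2 to the CA1 root, Pedro reaches the same root through the cross-certificate, U2 is rejected with the CRL's reason code, and the certificate from an unknown CA is rejected before any signature is examined. Calling `run_demo(2005, 11, 1)` shows the failure mode the slide is about: the certificates are still within their validity period, but the CRLs have passed their end date, so the status is unknown and the path is refused rather than accepted.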
e-DNI. Questions (IV)

Certificate status validation methods
  Different validation entities
    Public: relations of citizens with the Administration ---> free??
    Private sector: banks, insurance, etc. Money, money...$$??
  Cost of the validation: free, or at a price (and how much?)

29
e-DNI. Questions (V)

Cross-Certification with other CAs? NO, because
  The same as the traditional national DNI (ID card).
  Issued by the DGP (Ministry of Interior). It is a legal document in Spain.
  If you just accept it, it will happen. Do you give state and private-sector organizations the same level of trust?

30
Creative Commons Attribution-NoDerivs 2.0

You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work

Under the following conditions:
  Attribution. You must give the original author credit.
  No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make the license terms of this work clear to others.
Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

31
FIST Conference
Raúl Guerra
Madrid, September 2005
www.fistconference.org

Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 
Cisco Equipment Security
Cisco Equipment SecurityCisco Equipment Security
Cisco Equipment Security
 

Kürzlich hochgeladen

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Kürzlich hochgeladen (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

PKI Interoperability

  • 1. FIST Conference, September/Madrid 2005. PKI Interoperability. Raúl Guerra Jiménez.
  • 2. About the Author. Raúl Guerra Jiménez, CISSP, CISA, technical consultant. Grupo SIA, 1989, www.siainternational.com.
  • 3. Index. Cryptography; Public Key Infrastructure (PKI); Applications; Integration; e-DNI.
  • 4. Security Requirements. Confidentiality: ensure confidentiality of data. Integrity: the original data has not been changed. Authentication: proof of identity. Non-repudiation: prevent denial of a transaction; the originator cannot deny it.
  • 5. Paradigm Solution. Requirements: confidentiality, integrity, authentication, non-repudiation. Mechanisms, layered top to bottom: hash, encryption and digital signature; public key encryption; digital certificate; Certification Authority; Public Key Infrastructure (PKI).
  • 6. PKIs are not CAs… CA: issue certificates; revoke certificates. PKI: issue certificates; revoke certificates; key management (creation, storage, update, backup/recovery); cross-certification; certificate repository (directory); application software; RA (Registration Authority); client; etc.
  • 7. Third-party trust. Raúl and Raquel each trust the Certification Authority, and through it each other (“third-party trust”).
  • 8. Cross-Certification. Cross-certification between Certification Authority AC “A” and Certification Authority AC “B” extends third-party trust to the users of both (Alicia, Juan, Elena, Pedro).
  • 9. Subordinate CA. CA1 (“Root”) above CA2 and CA3, which in turn certify CA4 to CA7, whose users are U1 to U9. The classical trust model has no end root.
  • 10. The certificate. Version: 3. Serial Number: 8391037. Signature: RSA. Issuer: o=SIA, c=ES. Validity: 1/5/97 1:02 - 7/5/98 1:02. Subject: cn=Raúl Guerra, o=SIA, c=ES. Subject Public Key Info. Extensions: SubjectAltName: rguerra@sia.es; CRL DP: cn=CRL2, o=SIA, c=ES. The CA signs the certificate.
  • 11. Certificate Revocation List. Unique name of the CRL, DN: cn=CRL2, o=SIA, c=ES. Period of validity: start 1/5/97 1:02, end 1/6/97 1:02. Revoked certificates (serial number, date, reason): 191231, 4/24/96 10:20, Cessation of Operation; 123832, 4/25 16:20, Key Compromise; 923756, 4/25 16:30, Affiliation Change. CA DN: o=SIA, c=ES. CA’s digital signature on the CRL.
  • 12. Keys in the client. Key generation; issue certificates; certificate validation; key usage; expired; key update.
  • 13. PKI client stack. Applications: Web, E-mail, ERPs, SSO, ... Legacy applications without a PKI-enabled module; applications with a PKI-enabled module; toolkits (GSS-API, CAPI, ...) to PKI-enable applications; PKI module and PKI client; PKCS#11, BAPI (Biometric API), PC/SC; ID on disk, memory cards, smart cards, biometric devices; LDAP and PKIX-CMP towards the PKI Directory.
  • 14. Architecture: Example. Client, CA, PKIX-CMP, firewall, LDAP, RA, directory.
  • 15. Applications. Internet (e-Commerce); Remote Access; EDI; VPN (Virtual Private Network); ERPs; Security in the Intranet; Secure Single Sign-On.
  • 16. Internet Application. Secure Web communications: Netscape/Microsoft browsers, Netscape/Microsoft servers, many more ... Secure e-mail: Novell GroupWise, Lotus Notes, Netscape Messenger, Microsoft Outlook, cc:Mail.
  • 17. Secure Remote Access. Remote access authentication: Security Dynamics, LeeMah DataComm, CryptoCard, Secure Computing (SafeWord), Digital Pathways (Defendor), application-specific implementations. Firewalls: CheckPoint (Firewall-1), Raptor Systems (Eagle), MilkyWay (Blackhole), TIS (Gauntlet), ANS (Interlock), Secure Computing (Sidewinder), Border Network (Borderware), IBM (NetSP), Harris Systems (CyberGuard), Sagus Security (Defensor). Routers: Cisco, Ascend, Bay Networks, BBN. The remote user passes through firewalls and routers.
  • 18. VPNs. Intranet, extranet, end users. Virtual Private Networks: firewall vendors (e.g. FW-1), link encryptors, Security Dynamics SecurVPN, Entrust/Access, KyberPass.
  • 19. Security in the Intranet. Network security: encrypt the traffic; secure access to resources. Application-specific security: databases (Oracle…), heritage applications (mainframe...), groupware (Notes…). Products: McAfee Network Security Suite; RACF, ACF2, TopSecret; NetLock; application-level passwords; Cygnus (KerbNet); proprietary data security (Notes); other (via RSA toolkits).
  • 20. Desktop security. File security: Norton Your Eyes Only, PGP for Personal Privacy, Querisoft SecureFILE, McAfee VirusScan Security Suite, RSA SecurPC, AT&T SecretAgent, Entrust ICE, Entrust Entelligence. Covers: email, files, client/server apps, e-forms, browsers, and more...
  • 21. Enterprise Resource Planning (ERPs). Business-to-business ERP: SAP/R3, PeopleSoft, Oracle, ... Client/server services, client-to-server security, Web services.
  • 22. PKI: Homogeneous solution. Specific systems: E-Commerce, Internet banking, databases (Oracle, ...), mainframe, groupware. Web server security: secure Web sites. Network security: traffic ciphering, secure access, firewalls and routers, VPNs, remote authentication. ERP: SAP/R3, PeopleSoft, Oracle, ... Internet users: secure Web, secure mail, e-Commerce (SET). Desktop security: email, files, client/server apps, e-forms, browsers, and more...
  • 23. PKIs Success (I). Integration with the software applications. Practical solutions --> bye, bye SET. User recognition. Trust: do you trust the CA? What or who used my private key? Is my PC safe? Security issues in the OS or the browser (crypto software). Is your private key in a smart card?
  • 24. PKIs Success (II). Are the certification practices secure (CPS)? The CA must guarantee that the signed data (the certificate) is correct. There is a risk if you trust the user. Do you verify the certificate from the Web server in an SSL connection? To learn more: “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure” by Bruce Schneier and Carl Ellison.
  • 25. e-DNI. Smart card: polycarbonate card with high security from FNMT. Certificates: identity (authentication) and signature (non-repudiation) certificates; no encryption certificate. PKI providers: Entrust, Safelayer. Hierarchy of CAs (root and subordinate CAs).
  • 26. e-DNI. Questions (I). Are other certificates necessary? Certificate status validation methods. Cross-certification with commercial CAs?
  • 27. e-DNI. Questions (II). Other certificates? YES, because there is no encryption certificate. So, to support business protection where there is encrypted data, a backed-up decryption (private) key is necessary ---> encryption certificate. Physical identity: what about legal entities? Use of the certificate with other information, for example medical data (medical smart card). Use in the private sector: home banking, corporate enterprise smart card, etc.
  • 28. e-DNI. Questions (III). Certificate status validation methods: the system should ensure that the verification certificate is valid (and not on the CRL). If an entity would like technical interoperability with the e-DNI system, it is necessary to know the certificate status.
  • 29. e-DNI. Questions (IV). Certificate status validation methods: different validation entities. Public: relations of citizens with the Administration ---> free?? Private sector: banks, insurance, etc. Money, money...$$?? Cost of the validation: free, or for a price (and how much?).
  • 30. e-DNI. Questions (V). Cross-certification with other CAs? NO, because it is the same as the traditional national DNI (ID card): issued by the DGP (Ministry of Interior), it is a legal document in Spain. If you just accept it, it will happen. Do you give the state and private organization sectors the same level of trust?
  • 31. Creative Commons Attribution-NoDerivs 2.0. You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make the license terms of this work clear to others. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  • 32. @ FIST Conference. Raúl Guerra, Madrid, September 2005. www.fistconference.org
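The trust checks the slides describe (third-party trust through a CA on slide 7, cross-certification on slide 8, subordinate CAs on slide 9, the signed certificate fields on slide 10, the CRL with its validity period and revocation reasons on slide 11, and the e-DNI status-validation question on slide 28) can be seen working together in one path-validation routine. The following is an added example written for this page, not code from the talk, Grupo SIA or any e-DNI provider. The RSA keys are built from small constructed primes and are insecure by design; the certificate and CRL are plain dicts rather than X.509/ASN.1. Raúl's serial number 8391037, the CRL name cn=CRL2, o=SIA, c=ES and the revoked serial 123832 (Key Compromise) come from slides 10 and 11; the CA names AC A and AC B, the subjects Raquel, Juan and Elena, the serials 1, 555 and 556, the second CRL cn=CRL1, o=B, c=ES and all dates are constructed for the scenario.

```python
# Toy certification-path validation (constructed example, not the slides' own code).
# RSA keys use small constructed primes and are NOT secure; the checks are the point.
import hashlib
from datetime import datetime

def make_keypair(p, q, e=65537):
    """Toy RSA keypair: (public (n, e), private (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def tbs(obj):
    """Canonical to-be-signed bytes: every field except the signature itself."""
    return repr(sorted((k, repr(v)) for k, v in obj.items() if k != "signature")).encode()

def issue_cert(issuer, issuer_priv, subject, pub, serial, not_before, not_after, crl_dp):
    """Certificate with the fields of slide 10; the CA's private key signs it."""
    cert = {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "not_before": not_before, "not_after": not_after, "public_key": pub,
            "crl_dp": crl_dp}
    cert["signature"] = sign(issuer_priv, tbs(cert))
    return cert

def issue_crl(issuer, issuer_priv, dn, start, end, revoked):
    """CRL with the fields of slide 11: validity period, (serial, date, reason) list, CA signature."""
    crl = {"dn": dn, "issuer": issuer, "start": start, "end": end,
           "revoked": sorted(revoked.items())}
    crl["signature"] = sign(issuer_priv, tbs(crl))
    return crl

def crl_problem(cert, issuer_pub, crls, now):
    """None if the CRL at the cert's distribution point clears it, else the reason."""
    crl = crls.get(cert["crl_dp"])
    if crl is None:
        return "no CRL available at " + cert["crl_dp"]
    if not verify(issuer_pub, tbs(crl), crl["signature"]):
        return "CRL signature does not verify"
    if not crl["start"] <= now <= crl["end"]:
        return "CRL outside its period of validity"
    for serial, (when, reason) in crl["revoked"]:
        if serial == cert["serial"]:
            return f"revoked {when:%Y-%m-%d} ({reason})"
    return None

def validate(cert, certs, anchors, crls, now, depth=0):
    """Walk from cert towards a trust anchor; returns (ok, explanation)."""
    if depth > 5:
        return False, "certification path too long"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, f"{cert['subject']}: outside validity period"
    issuer = cert["issuer"]
    # Candidate issuer keys: the anchor itself, or every certificate issued TO the
    # issuer (a subordinate-CA certificate, or a cross-certificate from another CA).
    candidates = ([(anchors[issuer], None)] if issuer in anchors else
                  [(c["public_key"], c) for c in certs if c["subject"] == issuer])
    for pub, ca_cert in candidates:
        if not verify(pub, tbs(cert), cert["signature"]):
            continue                       # not signed with this key (or tampered)
        problem = crl_problem(cert, pub, crls, now)
        if problem:
            return False, f"{cert['subject']}: {problem}"
        if ca_cert is None:
            return True, f"{cert['subject']} <- {issuer} (trust anchor)"
        ok, why = validate(ca_cert, certs, anchors, crls, now, depth + 1)
        if ok:
            return True, f"{cert['subject']} <- {why}"
    return False, f"{cert['subject']}: no valid path to a trust anchor"

def build_scenario():
    """Constructed data: the relying party trusts only AC A; AC B is reachable via a cross-certificate."""
    def d(s):
        return datetime.strptime(s, "%Y-%m-%d")
    a_pub, a_priv = make_keypair(1000000007, 998244353)
    b_pub, b_priv = make_keypair(1000000009, 999999937)
    user_pub = make_keypair(1000000007, 999999937)[0]     # stand-in end-entity key
    crl_a, crl_b = "cn=CRL2, o=SIA, c=ES", "cn=CRL1, o=B, c=ES"
    certs = [
        issue_cert("AC A", a_priv, "cn=Raúl Guerra, o=SIA, c=ES", user_pub, 8391037,
                   d("2005-01-01"), d("2007-01-01"), crl_a),
        issue_cert("AC A", a_priv, "cn=Raquel, o=SIA, c=ES", user_pub, 123832,
                   d("2005-01-01"), d("2007-01-01"), crl_a),
        issue_cert("AC A", a_priv, "AC B", b_pub, 1,                  # cross-certificate
                   d("2005-01-01"), d("2008-01-01"), crl_a),
        issue_cert("AC B", b_priv, "cn=Juan, o=B, c=ES", user_pub, 555,
                   d("2005-01-01"), d("2007-01-01"), crl_b),
        issue_cert("AC B", b_priv, "cn=Elena, o=B, c=ES", user_pub, 556,   # expired
                   d("2003-01-01"), d("2004-01-01"), crl_b),
    ]
    crls = {crl_a: issue_crl("AC A", a_priv, crl_a, d("2005-09-01"), d("2005-10-01"),
                             {123832: (d("2005-04-25"), "Key Compromise")}),
            crl_b: issue_crl("AC B", b_priv, crl_b, d("2005-09-01"), d("2005-10-01"), {})}
    return certs, {"AC A": a_pub}, crls, d("2005-09-15")

def run():
    """Validate every certificate in the scenario; returns {subject: (ok, explanation)}."""
    certs, anchors, crls, now = build_scenario()
    return {c["subject"]: validate(c, certs, anchors, crls, now) for c in certs}
```

Running `run()` shows the four outcomes a relying party has to distinguish: Raúl validates directly under the anchor; Raquel is rejected because the signed CRL at her distribution point lists serial 123832 with reason Key Compromise; Juan, although issued by AC B which the relying party does not trust directly, validates through the cross-certificate AC A issued to AC B, so the explanation reads `cn=Juan, o=B, c=ES <- AC B <- AC A (trust anchor)`; Elena fails on her validity period before any signature is checked. Removing the cross-certificate from the list leaves Juan with no path, which is exactly the situation slide 30 describes for a CA that does not cross-certify. Note also that a missing or stale CRL is treated as a failure, not as "nothing revoked": a validator that skips the status check when the list is unavailable quietly accepts revoked keys.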